How to Prevent and Remove the Backdoor.Win32.Agent.xf
1. What is Backdoor.Win32.Agent.xf?

Backdoor.Win32.Agent.xf is a backdoor trojan that gives an attacker access to, and control of, an infected computer. It is a PE executable. The sample is usually packed with UPX; unpacked, the code size is about 710 KB. Backdoor.Win32.Agent.xf is normally spread through websites, or via instant messengers (IM) such as Yahoo, MSN, Skype and ICQ.

 

When the Backdoor.Win32.Agent.xf file is run, it copies itself into the Windows System folder under a name similar to “Hacker.com.cn.exe” and then starts the processes listed below so that it looks like a valid Windows program. To get rid of Backdoor.Win32.Agent.xf, it is suggested that you use Best Spyware Scanner with its antispyware utilities.

Aliases: Backdoor.Trojan [Symantec], Generic packed [McAfee], Win32.SuspectCrc [Ikarus], Win-Trojan/Agent.310510 [AhnLab]

 

2. Technical Details

 

a. The following files were created in the system:

No.  Filename                                Size
1    %Temp%\105171                           310,517 bytes
     [file and pathname of the sample #1]
2    %System%\Archive.txt                    0 bytes
3    %System%\LoginCMD.exe                   6,144 bytes
4    %System%\YMSG12ENCRYPT.dll              46,080 bytes

Notes:
  • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
  • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Memory Modifications

  • New memory pages were created in the address space of the following system process(es):

Process Name                 Process Filename                        Main Module Size
[filename of the sample #1]  [file and pathname of the sample #1]    716,800 bytes
LoginCMD.exe                 %System%\logincmd.exe                   32,768 bytes
c. Other details

  • The following port was open in the system:

Port   Protocol   Process
1052   TCP        [file and pathname of the sample #1]

  • An attempt to establish a connection with a remote host was registered. The connection details are:

Remote Host     Port Number
98.136.48.78    5050

     

3. How-to's

a. How to prevent Backdoor.Win32.Agent.xf?

Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connection and ensure your network and business security.

b. How to Remove Backdoor.Win32.Agent.xf Manually?

Step 1: Use Windows Task Manager to Remove the Backdoor.Win32.Agent.xf Processes

[file and pathname of the sample #1]
%System%\logincmd.exe

Step 2: Detect and Delete the Other Backdoor.Win32.Agent.xf Files

%Temp%\105171
[file and pathname of the sample #1]
%System%\Archive.txt
%System%\LoginCMD.exe
%System%\YMSG12ENCRYPT.dll
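The file, process and network indicators from the Technical Details section, which are also the artifacts listed in Step 1 and Step 2 above, can be checked programmatically before any process is ended or any file deleted. The following Python script is an added example, not part of this advisory and not Sax2 or Malwarebytes code. It matches the advisory's indicators against a host snapshot (a file listing with sizes, tasklist image names and netstat -ano rows); the snapshot is constructed sample data so the script runs offline, and the default Windows XP folder paths from the Notes are an assumption used to expand %System% and %Temp%.

```python
"""Offline triage of the Backdoor.Win32.Agent.xf host indicators.

Added example, not part of the original advisory. The snapshot data at the
bottom is CONSTRUCTED so the script runs anywhere; on a real Windows host you
would feed it a directory walk, `tasklist` names and `netstat -ano` rows.
"""

# Indicators copied from the advisory (sizes in bytes).
FILE_IOCS = {
    r"%Temp%\105171": 310517,
    r"%System%\Archive.txt": 0,
    r"%System%\LoginCMD.exe": 6144,
    r"%System%\YMSG12ENCRYPT.dll": 46080,
}
PROCESS_IOCS = {"logincmd.exe"}       # compared case-insensitively
LISTEN_IOC = ("TCP", 1052)            # port opened by the sample
REMOTE_IOC = ("98.136.48.78", 5050)   # outbound connection attempt

# Assumption: default Windows XP folders quoted in the advisory's Notes. On a
# live host pass a mapping built from SystemRoot / TEMP instead.
DEFAULT_VARS = {
    "%System%": r"C:\Windows\System32",
    "%Temp%": r"C:\Documents and Settings\[UserName]\Local Settings\Temp",
}


def expand(path, variables):
    """Expand %System%/%Temp% and normalise so NTFS case differences
    (LoginCMD.exe vs logincmd.exe in the advisory) still compare equal."""
    for var, value in variables.items():
        path = path.replace(var, value)
    return path.replace("/", "\\").lower()


def match_files(observed, variables=DEFAULT_VARS):
    """observed: iterable of (path, size_in_bytes).
    Returns [(ioc_path, observed_path, observed_size, size_matches)]."""
    wanted = {expand(ioc, variables): (ioc, size) for ioc, size in FILE_IOCS.items()}
    hits = []
    for path, size in observed:
        entry = wanted.get(expand(path, variables))
        if entry:
            ioc, expected = entry
            hits.append((ioc, path, size, size == expected))
    return hits


def match_processes(image_names):
    """image_names: running-process image names, e.g. from `tasklist`."""
    return [name for name in image_names if name.lower() in PROCESS_IOCS]


def parse_netstat_line(line):
    """Parse one `netstat -ano` row into a dict; None for header/blank lines."""
    parts = line.split()
    if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
        return None
    local_host, local_port = parts[1].rsplit(":", 1)
    remote_host, remote_port = parts[2].rsplit(":", 1)
    return {
        "proto": parts[0],
        "local_host": local_host,
        "local_port": int(local_port) if local_port.isdigit() else None,
        "remote_host": remote_host,
        "remote_port": int(remote_port) if remote_port.isdigit() else None,
        # UDP rows have no state column; the PID is the last field when present.
        "state": parts[3] if parts[0] == "TCP" and len(parts) > 3 else "",
        "pid": parts[-1] if parts[-1].isdigit() else None,
    }


def match_netstat(lines):
    """Returns [(kind, row)] with kind 'listening-port' or 'remote-host'."""
    findings = []
    for line in lines:
        row = parse_netstat_line(line)
        if row is None:
            continue
        if (row["proto"], row["local_port"]) == LISTEN_IOC and row["state"] == "LISTENING":
            findings.append(("listening-port", row))
        if (row["remote_host"], row["remote_port"]) == REMOTE_IOC:
            findings.append(("remote-host", row))
    return findings


def suspicious_pids(findings):
    """PIDs tied to the network indicators: inspect these before any removal."""
    return sorted({row["pid"] for _, row in findings if row["pid"]})


# ---- constructed sample snapshot (not from a real infection) ---------------
SAMPLE_FILES = [
    (r"C:\Windows\System32\logincmd.exe", 6144),
    (r"C:\Windows\System32\YMSG12ENCRYPT.dll", 46080),
    (r"C:\Windows\System32\kernel32.dll", 989696),        # benign, must not match
    (r"C:\Documents and Settings\[UserName]\Local Settings\Temp\105171", 310517),
    (r"C:\Windows\System32\Archive.txt", 12),             # name matches, size differs
]
SAMPLE_PROCESSES = ["explorer.exe", "LoginCMD.exe", "svchost.exe"]
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892",
    "  TCP    0.0.0.0:1052           0.0.0.0:0              LISTENING       1588",
    "  TCP    192.168.1.20:1053      98.136.48.78:5050      ESTABLISHED     1588",
    "  UDP    0.0.0.0:500            *:*                                    700",
]

if __name__ == "__main__":
    for ioc, path, size, ok in match_files(SAMPLE_FILES):
        print(f"file  {ioc}: {path} ({size} bytes, size {'matches' if ok else 'DIFFERS'})")
    for name in match_processes(SAMPLE_PROCESSES):
        print(f"proc  {name} is running")
    net = match_netstat(SAMPLE_NETSTAT)
    for kind, row in net:
        print(f"net   {kind}: {row['local_host']}:{row['local_port']} -> "
              f"{row['remote_host']}:{row['remote_port']} pid={row['pid']}")
    print("PIDs to inspect:", suspicious_pids(net))
```

On a live Windows host, replace the constructed lists with a walk of %SystemRoot%\System32 and %TEMP%, the image names from `tasklist`, and the rows of `netstat -ano`, and pass a mapping built from the environment to match_files. A name hit whose size differs (the Archive.txt row in the sample) still deserves a look, because the sizes in the advisory's table come from a single sample; the PID shared by the listening port and the outbound connection is the process to examine first.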
     

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Your best defense, therefore, is to download and install a reliable anti-spyware program and scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
